'strict-dynamic' should allow workers. |
||
Issue description`new Worker()` should work, given a policy like `script-src 'nonce-abc' 'strict-dynamic'`. Ditto for `importScripts()` (which I think already works).
,
Apr 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7c484b27809886d417e55bedad7780d62d148c6d commit 7c484b27809886d417e55bedad7780d62d148c6d Author: mkwst <mkwst@chromium.org> Date: Thu Apr 06 15:13:54 2017 CSP: 'strict-dynamic' should allow 'new Worker()' This was an oversight when launching 'worker-src'; 'new Worker()' is now covered by 'script-src', and should be allowed in the presence of 'strict-dynamic' (as it has the same properties as any other script execution. BUG= 708982 Review-Url: https://codereview.chromium.org/2805673002 Cr-Commit-Position: refs/heads/master@{#462475} [add] https://crrev.com/7c484b27809886d417e55bedad7780d62d148c6d/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html [modify] https://crrev.com/7c484b27809886d417e55bedad7780d62d148c6d/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp [modify] https://crrev.com/7c484b27809886d417e55bedad7780d62d148c6d/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
,
Apr 7 2017
|
||
►
Sign in to add a comment |
||
Comment 1 by mkwst@chromium.org
, Apr 6 2017